Recently, security researchers identified a threat actor named BelialDemon offering new malware. Read on to learn more about it.
BelialDemon, a threat actor who is a member of multiple underground forums and offers Malware-as-a-Service (MaaS), has been identified by Palo Alto Networks Unit 42 researchers. The threat actor marketed a new MaaS called Matanbuchus Loader in February 2021, with a base rental fee of $2,500.
Multiple organisations, including large universities and high schools in the United States, as well as high-tech firms in Belgium, have been targeted by Matanbuchus, according to Unit 42 researchers. BelialDemon is active in the production of malware loaders and is the main developer of TriumphLoader. The threat actor has previous experience marketing such malware and loaders.
The attacker was specifically planning to recruit three people as part of its MaaS offering, according to posts on the underground forum. The Matanbuchus sample led to the identification of a file in the wild, ddg[.]dll, which is actively dropped from hxxp://idea-secure-login[.]com and then stored locally as hcRlCTg[.]dll.
About Matanbuchus Loader
BelialDemon’s name is based on a biblical theme. The word Belial, as well as the name of the loader Matanbuchus, come from the Ascension of Isaiah. Typically, threats of this nature aren’t the core of an attack; rather, they’re used to distribute subsequent payloads and exploit security flaws in the system.
Matanbuchus is a malware loader that can run arbitrary code and is used to drop or fetch second-stage malware from command-and-control (C2) servers. Among other capabilities, Matanbuchus MaaS can run an EXE or DLL file in memory, use schtasks.exe to add or change scheduled tasks, and run custom PowerShell commands.
The Matanbuchus Loader DLL is dropped using a Microsoft Excel document as the initial vector. When users open the Excel document, it prompts them to activate macros in order to view the information.
The dropped DLL’s main purpose is to drop the main Matanbuchus DLL file. However, it first makes a series of API calls that are commonly seen in anti-debugging and anti-virtualization checks.
Matanbuchus’ Capabilities
The following Matanbuchus capabilities are described in depth by Unit 42 researchers in their report:
* The ability to launch a .exe or .dll file in memory;
* The ability to leverage schtasks.exe to add or modify task schedules;
* The ability to launch custom PowerShell commands;
* The ability to leverage a standalone executable to load the DLL if the attacker otherwise has no way of doing so.
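The delivery chain described above (an Excel macro dropping a DLL that then uses schtasks.exe and PowerShell) is the kind of parent-child process pattern a defender can hunt for. The following is an added detection sketch, not code from the Unit 42 report; the process events, the Temp path and the command lines are constructed for illustration (only the file name hcRlCTg.dll comes from the article).

```python
"""Flag Office-spawned LOLBin activity matching the Matanbuchus chain.

The events below are constructed Sysmon-style process-creation records
(assumed paths and command lines), not real telemetry from the report.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case basename of the started executable
    cmdline: str    # full command line as logged


EVENTS = [  # constructed sample telemetry
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "excel.exe", r"EXCEL.EXE C:\Users\u\Downloads\invoice.xlsm"),
    ProcEvent(300, 200, "rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\hcRlCTg.dll,Start"),
    ProcEvent(400, 300, "schtasks.exe", r"schtasks.exe /Create /SC MINUTE /TN Updater /TR C:\Users\u\AppData\Local\Temp\hcRlCTg.dll"),
    ProcEvent(500, 300, "powershell.exe", "powershell.exe -nop -w hidden -c Get-Date"),
    ProcEvent(600, 100, "notepad.exe", "notepad.exe"),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SUSPECT = {"schtasks.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def ancestors(ev, by_pid):
    """Walk the parent chain of `ev` as far as the event table allows."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events):
    """Return (pid, reason) for suspect images that descend from an Office app."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image not in SUSPECT:
            continue
        office = next((a for a in ancestors(ev, by_pid) if a.image in OFFICE), None)
        if office is None:
            continue  # schtasks/PowerShell from a non-Office parent is routine
        reason = f"{ev.image} descends from {office.image}"
        cmd = ev.cmdline.lower()
        if ev.image == "rundll32.exe" and any(p in cmd for p in USER_WRITABLE):
            reason += "; loads DLL from user-writable path"
        if ev.image == "schtasks.exe" and "/create" in cmd:
            reason += "; creates scheduled task"
        hits.append((ev.pid, reason))
    return hits


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

In real telemetry, the same walk is done over Sysmon Event ID 1 or EDR process-creation records, with the Office and LOLBin sets tuned to the environment.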
A Brief Conclusion
The malware loader is currently available for purchase at underground markets. As a result, security experts advocate that enterprises use genuine threat intelligence solutions to bolster their defences against such threats.
According to this Unit 42 study, threat hunting on the Dark Web can yield threat intelligence, and the researchers concluded by showing “how small pieces of seemingly disparate data can chain together to strengthen analysis, extract indicators and improve defenses for your organization before being impacted.”